Merge pull request #3932 from jumpserver/dev_oidc

[Update] 添加oidc-op配置信息
2020-04-22 11:11:47 +08:00 · 2020-04-22 11:11:47 +08:00 · 56f38e57bc
parent 306605915c 586c04cba6
commit 56f38e57bc
6 changed files with 38 additions and 12 deletions
--- a/apps/authentication/templates/authentication/login.html
+++ b/apps/authentication/templates/authentication/login.html
@ -52,14 +52,21 @@
            </div>
        </div>

-        {% if AUTH_OPENID %}
+        {% if AUTH_OPENID or AUTH_OIDC_RP %}
            <div class="hr-line-dashed"></div>
            <p class="text-muted text-center">{% trans "More login options" %}</p>
            <div>
+                {% if AUTH_OIDC_RP %}
+                    <button type="button" class="btn btn-default btn-sm btn-block" onclick="location.href='{% url 'authentication:oidc-rp:oidc-login' %}'">
+                        <i class="fa fa-openid"></i>
+                        {% trans 'OpenID' %}
+                    </button>
+                {% elif AUTH_OPENID %}
                <button type="button" class="btn btn-default btn-sm btn-block" onclick="location.href='{% url 'authentication:openid:openid-login' %}'">
                    <i class="fa fa-openid"></i>
                    {% trans 'Keycloak' %}
                </button>
+                {% endif %}
            </div>
        {% endif %}

--- a/apps/authentication/views/login.py
+++ b/apps/authentication/views/login.py
@ -113,6 +113,7 @@ class UserLoginView(mixins.AuthMixin, FormView):
        context = {
            'demo_mode': os.environ.get("DEMO_MODE"),
            'AUTH_OPENID': settings.AUTH_OPENID,
+            'AUTH_OIDC_RP': settings.AUTH_OIDC_RP,
        }
        kwargs.update(context)
        return super().get_context_data(**kwargs)
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@ -143,15 +143,16 @@ class Config(dict):
        'AUTH_OPENID_IGNORE_SSL_VERIFICATION': True,
        'AUTH_OPENID_SHARE_SESSION': True,

+
        'AUTH_OIDC_RP': False,
        'OIDC_RP_CLIENT_ID': 'client-id',
        'OIDC_RP_CLIENT_SECRET': 'client-secret',
-        'OIDC_RP_PROVIDER_ENDPOINT': 'provider-endpoint',
-        'OIDC_RP_PROVIDER_AUTHORIZATION_ENDPOINT': 'provider-authorization-endpoint',
-        'OIDC_RP_PROVIDER_TOKEN_ENDPOINT': 'provider-token-endpoint',
-        'OIDC_RP_PROVIDER_JWKS_ENDPOINT': 'provider-jwks-endpoint',
-        'OIDC_RP_PROVIDER_USERINFO_ENDPOINT': 'provider-userinfo-endpoint',
-        'OIDC_RP_PROVIDER_END_SESSION_ENDPOINT': 'end-session-endpoint',
+        'OIDC_RP_PROVIDER_ENDPOINT': 'https://op-endpoint.com',
+        'OIDC_RP_PROVIDER_AUTHORIZATION_ENDPOINT': 'https://op-endpoint.com/authorize',
+        'OIDC_RP_PROVIDER_TOKEN_ENDPOINT': 'https://op-endpoint.com/token',
+        'OIDC_RP_PROVIDER_JWKS_ENDPOINT': 'https://op-endpoint.com/jwk',
+        'OIDC_RP_PROVIDER_USERINFO_ENDPOINT': 'https://op-endpoint.com/userinfo',
+        'OIDC_RP_PROVIDER_END_SESSION_ENDPOINT': 'https://op-endpoint.com/logout',
        'OIDC_RP_ID_TOKEN_MAX_AGE': 60,

        'AUTH_RADIUS': False,
@ -292,9 +293,6 @@ class DynamicConfig:
        return lambda: self.get(item)

    def LOGIN_URL(self):
-        auth_openid = self.get('AUTH_OPENID')
-        if auth_openid:
-            return reverse_lazy("authentication:openid:openid-login")
        return self.get('LOGIN_URL')

    def AUTHENTICATION_BACKENDS(self):
--- a/apps/jumpserver/settings/auth.py
+++ b/apps/jumpserver/settings/auth.py
@ -59,6 +59,9 @@ AUTH_OPENID_LOGIN_COMPLETE_URL = reverse_lazy("authentication:openid:openid-logi
 # oidc rp
 # jumpserver
 AUTH_OIDC_RP = CONFIG.AUTH_OIDC_RP
+if AUTH_OIDC_RP:
+    # 优先使用AUTH_OIDC_RP
+    AUTH_OPENID = False
 OIDC_RP_LOGIN_URL_NAME = "authentication:oidc-rp:oidc-login"
 OIDC_RP_LOGIN_CALLBACK_URL_NAME = "authentication:oidc-rp:oidc-callback"
 OIDC_RP_LOGOUT_URL_NAME = "authentication:oidc-rp:oidc-logout"
--- a/apps/users/utils.py
+++ b/apps/users/utils.py
@ -326,7 +326,7 @@ def get_source_choices():
    ]
    if settings.AUTH_LDAP:
        choices.append((User.SOURCE_LDAP, choices_all[User.SOURCE_LDAP]))
-    if settings.AUTH_OPENID:
+    if settings.AUTH_OPENID or settings.AUTH_OIDC_RP:
        choices.append((User.SOURCE_OPENID, choices_all[User.SOURCE_OPENID]))
    if settings.AUTH_RADIUS:
        choices.append((User.SOURCE_RADIUS, choices_all[User.SOURCE_RADIUS]))
--- a/config_example.yml
+++ b/config_example.yml
@ -55,7 +55,11 @@ REDIS_PORT: 6379
 # REDIS_DB_CACHE: 4

 # Use OpenID authorization
-# 使用OpenID 来进行认证设置
+#
+# 配置说明: 如果您使用的是Keycloak作为OP，可以使用方式1或方式2; 如果OP不是Keycloak, 请使用方式2
+#
+# 方式1: OpenID认证 (基于 oidc 协议的 keycloak 的实现)
+#
 # BASE_SITE_URL: http://localhost:8080
 # AUTH_OPENID: false  # True or False
 # AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/
@ -64,6 +68,19 @@ REDIS_PORT: 6379
 # AUTH_OPENID_CLIENT_SECRET: client-secret
 # AUTH_OPENID_IGNORE_SSL_VERIFICATION: True
 # AUTH_OPENID_SHARE_SESSION: True
+#
+# 方式2: OpenID认证 (使用标准 oidc 协议进行认证)
+# 配置参数详细信息参考: https://django-oidc-rp.readthedocs.io/en/stable/settings.html
+#
+# AUTH_OIDC_RP: False
+# OIDC_RP_CLIENT_ID: client-id
+# OIDC_RP_CLIENT_SECRET: client-secret
+# OIDC_RP_PROVIDER_ENDPOINT: https://op-endpoint.com
+# OIDC_RP_PROVIDER_AUTHORIZATION_ENDPOINT: https://op-endpoint.com/authorize
+# OIDC_RP_PROVIDER_TOKEN_ENDPOINT: https://op-endpoint.com/token
+# OIDC_RP_PROVIDER_JWKS_ENDPOINT: https://op-endpoint.com/jwk
+# OIDC_RP_PROVIDER_USERINFO_ENDPOINT: https://op-endpoint.com/userinfo
+# OIDC_RP_PROVIDER_END_SESSION_ENDPOINT: https://op-endpoint.com/logout

 # Use Radius authorization
 # 使用Radius来认证